From: mol@ecmwf.int (Philippe Parmentier)
To: www-security@ns2.rutgers.edu (www-sec)
Date: Mon, 2 Dec 1996 10:24:12 +0000 (GMT)
Errors-To: owner-www-security@ns2.rutgers.edu

In a previous mail, Andrea Di Fabio wrote:
>
> I have recently read about the remote attack which is possible
> thru the netscape -remote option, when your X server is running in
> xhost + mode.
>
> Is there anyone out there who has a list of all commands accepted by
> the -remote option ?

http://home.netscape.com/newsref/std/x-remote.html
http://home.netscape.com/newsref/std/x-remote-proto.html
http://home.netscape.com/newsref/std/remote.c

>
> Also, any ideas on how to disable netscape from accepting remote
> commands when your Xserver is insecure ?

I can't see how you could have it both ways, i.e. have an insecure X server
and protect netscape from remote control, so you have to think about
your X server security ...

Use xauth for fine control or xhost -.

The problem here is not netscape but X. With a scheme like:

    myhost% xhost + bad

anyone from bad can do quite a lot of things on myhost through the X
server, even if you do not allow remote shell between myhost and bad.

Example:

Start a client on myhost, say xeyes, with xhost + bad

    myhost% xhost + bad
    myhost% xeyes &

Then from bad, do a:

    bad% xlsclients -a -l -display myhost:0

you will get, among others, something like:

    bad% Window 0x5000007:
      Machine: myhost
      Name: xeyes
      Icon Name: xeyes
      Command: xeyes
      Instance/Class: xeyes/XEyes

Then you can do:

    bad% xkill -id 0x5000007 -display myhost:0

And guess what, you just killed a process on another machine without
using remote shell (if you did not own the process, it would just have
worked as fine).

And there are a lot of other tricks you could use ...

This pointer is a list of pointers relating to X, of which several
relate to security and may be of interest:

http://www.rahul.net/kenton/xsites.html

Other X security pointers which are not in the above list:

http://sw.cse.bris.ac.uk/public/Xsecurity.html
http://www.ja.net/newsfiles/janinfo/cert/Braathen/X_security.txt
http://www.ja.net/newsfiles/janinfo/cert/Vickers/X_security.txt
http://www.beckman.uiuc.edu/groups/biss/VirtualLibrary/xsecurity.html

>
> Thanks,
>
> fabio.
>

--
Philippe Parmentier
E-mail : P.Parmentier@ecmwf.int
Snail  : ECMWF, Shinfield Park, Reading, Berkshire RG2 9AX, U.K.
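
An added example, not part of the original message: a small shell check a defender can run to see whether an X server is in the `xhost +` or `xhost + bad` state described above, as opposed to relying on xauth. The `classify_xhost` name, the verdict strings and the sample outputs are constructed for illustration; it assumes `xhost` prints its usual "access control enabled/disabled" status line followed by one access-list entry per line.

```shell
#!/bin/sh
# classify_xhost reads `xhost` output on stdin and prints one verdict:
#   OPEN       access control disabled (the "xhost +" state)
#   HOSTS:<n>  access control on, but n host-based entries are trusted
#              (the "xhost + bad" state: every user on that host gets in)
#   OK         access control on and no host-based entries remain
classify_xhost() {
    awk '
        /^access control disabled/ { open = 1; next }
        /^access control enabled/  { next }
        # SI:localuser:name entries trust a single local user, not a whole host
        /^SI:localuser:/           { next }
        # every other non-empty line is counted as a host-based grant
        NF                         { hosts++ }
        END {
            if (open)       print "OPEN"
            else if (hosts) print "HOSTS:" hosts
            else            print "OK"
        }'
}

# Constructed sample outputs (not captured from a real machine).
sample_open='access control disabled, clients can connect from any host'
sample_host='access control enabled, only authorized clients can connect
INET:bad'
sample_ok='access control enabled, only authorized clients can connect
SI:localuser:alice'

for s in "$sample_open" "$sample_host" "$sample_ok"; do
    printf '%s\n' "$s" | classify_xhost
done

# Live use on the machine that owns the display:
#   xhost | classify_xhost
# Any verdict other than OK calls for "xhost -" plus removal of the
# listed hosts, leaving xauth cookies as the only way in.
```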